On Thu, Sep 22, 2005 at 04:07:06PM +0200, Martin Kraemer wrote:
> I have an Apache-2.3 (HEAD revision) server with SSL, and was testing
> a configuration with
> SSLVerifyClient require
> switched on.
>
> As long as the SSLCACertificateFile file contained only the cert
> of my own CA, everything was fine:

I can't reproduce any issues with large CA bundles configured here
using the trunk. The larger the set of CA roots configured the larger
the set of names sent in the certificate request, so it's conceivable
that this triggers some IO handling issue somewhere.

> % strace /usr/local/apache2/bin/httpd -X
> ...
> write(10, "[Thu Sep 22 15:36:01 2005] [debu"..., 94) = 94
> poll(<>
>
> and at the client side:
>
> % strace openssl s_client -CAfile ssl.crt/ca-bundle.crt -cert
> ssl.crt/server.crt -key ssl.key/server.key -connect mch00bcm:8443

You do mean to pass the server keypair for client authentication,
right? What is the output with -debug passed to s_client?

joe
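
Added example, not part of the original message and not Apache or OpenSSL code: it works through the point above that more configured CA roots mean more names in the certificate request, using the TLS 1.0 CertificateRequest layout. The CA names are constructed samples and the function names are hypothetical; the sizes cover this one handshake message only and say nothing about the cause of the reported behaviour.

```python
import struct

MAX_FRAGMENT = 2 ** 14        # largest TLS record payload
MAX_CA_VECTOR = 2 ** 16 - 1   # certificate_authorities<3..2^16-1>

def tlv(tag, body):
    """Minimal DER tag-length-value encoder."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_name(cn):
    """DER Name holding one commonName RDN (constructed sample DN)."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def certificate_request(names, cert_types=(1, 2)):
    """Build the handshake message: type 13, 24-bit length, body."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in names)
    if len(cas) > MAX_CA_VECTOR:
        raise ValueError("CA name list exceeds 65535 bytes")
    body = (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(cas)) + cas)
    return b"\x0d" + len(body).to_bytes(3, "big") + body

def parse_ca_names(msg):
    """Return the DER-encoded DNs carried in a CertificateRequest."""
    if msg[0] != 13 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed CertificateRequest")
    pos = 5 + msg[4]                      # skip certificate_types
    (total,) = struct.unpack_from("!H", msg, pos)
    pos, end, names = pos + 2, pos + 2 + total, []
    while pos < end:
        (n,) = struct.unpack_from("!H", msg, pos)
        names.append(msg[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def records_needed(msg):
    """Lower bound on TLS records for this message alone."""
    return -(-len(msg) // MAX_FRAGMENT)

def sample_names(count):
    return [der_name(f"Constructed Test CA {i:04d}") for i in range(count)]

if __name__ == "__main__":
    for count in (1, 100, 500):
        msg = certificate_request(sample_names(count))
        print(count, len(msg), records_needed(msg))
```

With these 37-byte sample names, 500 CAs already push the message past one 16384-byte record, and the name list itself cannot exceed 65535 bytes.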
